Archive for March 2010

If you follow internet security issues, then you probably know Jeremiah Grossman as the chief technology office of WhiteHat Security and the guy who coined the word “clickjack.”

Grossman started his career working for Amgen, Inc, a biotech company with offices in Asia, Australia, Europe, South America, Canada, and Mexico.

After leaving Amgen, Inc, Grossman became an information security officer at Yahoo!, which gave him the opportunity to perform intense security reviews for hundreds of web sites owned by the company.

In 2001, Jeremiah Grossman decided to start his own technology security firm in Santa Clara, CA. He had already earned a solid reputation as an expert in various security fields, so starting his own business probably seemed like the best way to take better command of his career. That way he could focus on the issues that interested him most.

Grossman built his reputation by researching important internet security problems such as cross site scripting attacks. He co-wrote a book about XSS attacks and defense, and talked at many events about cutting edge security issues. This quickly established him as a preeminent force in the industry.

The combination of expertise and speaking experience made Grossman an excellent source for the media. He and his words have appeared in prominent media outlets such as CNET, PC World, USA Today, InfoWorld, NBC News, The Financial Times, and the Washington Post.

It’s rare for a computer security nerd to gain this kind of public exposure, but it seems to suit Grossman well. He always seems calm and informative on camera.

IU redressing has been around for years, but it didn’t get the name “clickjacking” until Jeremiah Grossman and Robert Hansen of WhiteHat Security coined the term in 2008.

If you’ve been reading this blog regularly over the past few weeks, then you have probably figured out that internet security experts owe a lot to Grossman, not only for giving UI redressing a more customer-friendly name, but also for creating a force within the industry to protect web sites, organizations, and individuals from clickjack attacks.

Grossman has become spokesman for internet security, and he’s the go-to guy when industry specialists want information on clickjacking. In honor of Grossman’s efforts, I’ll be posting articles throughout the week that focus on his and WhiteHat Securities.

We often get bogged down in the technical details of internet security. The truth of the matter, though, is that the vast majority of professionals rely on the skills of a few geniuses to keep them ahead of cybercriminals. Grossman is one of those geniuses.

Instead of focusing on the technical details of clickjacking attacks, malware, and other security issues, this week’s articles will provide brief lessons in history and security philosophy. This will be a chance for us to learn about some of the most respected security specialists in the world, and will hopefully offer some important lessons that we can all apply to our internet use, regardless of whether we are laymen who just want to browse web sites safely or we are professionals interested in exploring the latest security technologies.

Yesterday I posted an entry explaining that smartphone users should pay attention to their web browsing to prevent clickjack attacks. That was just a general warning. Today I’d like to delve a little more into the details of smartphone clickjack attacks.

This is a prime example of why those of us who use iPhones, Blackberries, and similar devices should worry about clickjacking when we use our phones.

In this article, John Resig discusses his experience at a 2008 iPhone development camp where he met some people developing JavaScript for the device. While talking to these developers he learned that they kept running into a bug that was causing some web page elements to jump off the screen. They were still there, but the user could not see them.

This concerned Resig because of its potential clickjacking implications. He got a sample test from one of the guys so that he could experiment on his own to determine whether users could actually interact with any of the elements that jumped out of the iframe.

It didn’t take long before he had confirmed his suspicions.

Apple isn’t run by a bunch of dummies, though. They were quickly looking for a solution to this problem, which they released with the iPhone 2.2.

That solves that problem, but it’s always a matter of time before clickjackers and other cybercriminals find a way to use the iPhone’s security against itself. After all, clickjacking uses one of the fundamental elements of the internet to truck users into doing things that they don’t even know they are doing.

Apple’s speedy update that corrected this potential clickjacking problem is one of the reasons that it’s important for people to use the latest technology instead of relying on old devices and software. If you’re still using an iPhone that uses the old software, then you’re still susceptible to this clickjack attack.

This goes for other smart phones and browsers as well.

Granted, if you hold on to the device for about ten years without making any changes, then there’s a good chance that you’ll be in the clear. Once your tech gets old enough, very few hackers will even think to focus on you. Then again, you probably won’t be able to use it for much either, so it’s kind of a win-lose situation…

You face potential clickjacks whenever you go online. That includes times when you access web sites with your smart phone.

It doesn’t matter whether you have an iPhone, Blackberry, Acer Liquid, or any other type of phone. If you go online, then there is a risk that clickjacking could give your phone a virus.

This might sound weird to those who haven’t yet come to terms with the advanced state of wireless phone technology. Some people still think of them as just phones, but they are much more than that. They are small computers that can do many of the things that your laptop and desktop can do. Of course, performing these functions makes them susceptible to the same types of malware as your home computer.

Serious clickjackers are already focusing their efforts on sites that iPhones and similar devices use. It’s just a matter of time before people all over the world use their phones to access the internet more often than they use their computers.

Asian markets have already focused on this trend, and we now see that a huge number of people living in those countries have started using their phones more often to get online.

Sites like twitter.com will continue to push American and European markets in this direction, but those markets are still waiting for cell phone technology and service plans to catch up.

If you are ahead of the curve, then you already use your wireless phone to check email, watch videos, listen to music, and look up information. As you do these things, keep in mind that your phone isn’t safe from clickjacking, viruses, worms, and other types of malware.

I actually worry more about my phone’s susceptibility to clickjacking than my home computer. I keep more personal information on my phone than my home computer. My phone knows who my friends are, where I go, what my bank information is, where I work, and what my interests are. I rely on it every day to everyday things, and those are the bits of information that can unravel a person’s life most easily.

Keep your wits about you when you access web sites through your smartphone. Remember how much important information you have on this little computer and think about how much damage a clickjacked page could cause you.

I hope that showing these videos will make internet users more aware of what they are doing online. It’s easy to find web sites with silly games that involve repeatedly clicking on an image. A lot of them emulate the old Duck Hunt game, or some basic variation. I once saw one that encouraged me to point zits on a guy’s face.

These games seem harmless, but you never know what is lurking behind the veil. Guya11, who made the video above, claims that this particular clickjacking technique doesn’t work anymore because Adobe has updated its framebusting code. That’s certainly a good thing, but I have heard claims from people who have managed to get around Adobe’s updates.

Granted, these clickjack attackers could just be lying to me, but I prefer to accept their testimony and stay on the safe side.

Choosing software that has been designed to counter clickjack attacks is a good idea, but one of the best ways to prevent falling into one of these traps is to simply pay more attention to what you do online. Don’t click on any unnecessary icons and don’t play games unless you trust the site.

There are far too many internet users in the world who don’t have this basic understanding. Taking the proper precautions can protect your computer from viruses, worms, keyloggers, and other malware.

I like to think of every click as a turn down a street. I only turn down avenues when they take me to a place that I want to go. Every extraneous click could send you down a dark alley; eventually you’re going to get mugged.

There aren’t a whole lot of things that individuals can do to prevent clickjackers from making pages that contain phony buttons. Internet users, however, can use some security tools that will make them more aware of the things that clickjackers have done to certain pages.

One piece of software that can help you detect clickjacked pages is GuardedID. GuardedID is best known for its anti-keylogging features.

If you’re not familiar with keylogging programs: they capture your keystrokes, which allows cybercriminals to get information such as log-in IDs and passwords. Your employer probably also uses keylogging programs to make sure everyone focuses on work instead of wasting time on the internet.

GuardedID’s marketing strategy focuses so much on the software’s keylogging security features that I was a little surprised to learn that it also helps protect Internet users from clickjacking.

This software gives users the option to select different clickjacking security features. One option shows you a red dotted line around objects that are actually located on another page. Another option will show you the hidden buttons instead of the fake ones.

I’ve heard various reviews about GuardedID. Most of them, however, have been positive. I would say that it’s definitely better than not using anything at all. Still, you can’t expect any program to catch every security risk.

Some of the positive things about GuardedID is that it has a toolbar plug-in that works with some of the most popular browsers, including IE8 and Firefox. The software is also small, so it doesn’t take up a lot of memory.

CNET members have given GuardedID a four-star rating (out of a possible five stars), which tells me that it’s pretty good. On the other hand, the last time that I looked only three people had rated it. The esteemed CNET editors remain mute on the subject.

One of the obvious negatives is that you have to pay for GuardedID. You get 30 days of free use to try it out. After that, though, you have to cough up about $30. That’s not much to spend on security, but there is free software available that you might to try first.

Check out this YouTube video to see GuardedID stop clickjacking in its tracks.

Clickjacking can do more than just sign you up to follow Twitter accounts and grab your personal information. It can even take over your computer’s webcam and microphone. Seeing as how most new computers have built in video cameras, this is something definitely worth learning about.

In this CNET interview with Jeremiah Grossman, CTO of Whitehat Security, you find out how easy it is for someone to hijack your computers camera. Granted, Grossman is a bit of a genius when it comes to click jacking (he’s been at the forefront of clickjacking security for as long as we’ve known that it is a problem), so you can bet that click jacking is a little bit harder for the average person than it is for him.

Still, it’s frightening to see how quickly he makes a java button invisible and places it over another pages button. Certainly there are cybercriminals out there who are at least as good at this as Grossman. Maybe we’re just lucky that cyberjacking hasn’t completely ruined the small bit of trust that we have in the internet.

Grossman talks to his CNET host, Tom Merritt, about ways that computer users can protect themselves from this particular attack. Again, there aren’t a whole lot of options. Grossman mentions using No Script (it’s a Firefox extensive that inhibits javascript on a site’s page) and upgrading to Flash 10, which has better security features for webcams and microphones than earlier version.

Grossman’s favorite way to prevent people from taking pictures of him with his own camera while he’s surfing the net? Put a piece of Post-It Note over the camera lens.

As he saws, “if you can’t trust software, at least you can trust hardware.”

Personally, I find that scarier than just telling everyone that there isn’t a good answer. A piece of Post-It Note? One of the smartest computer security specialists in the world just told us to use Post-It Notes?

Subscribe

Click Jacking Jack syndicates its weblog posts
and Comments using a technology called
RSS (Real Simple Syndication). You can use a service like Bloglines to get
notified when there are new posts to this weblog.